Two Popular Anti-Forensic Techniques


Purposely overwriting data is one of the oldest anti-forensic techniques. This usually involves the use of software designed to perform one of three basic functions.

The first form of wiping involves writing over the entire digital media so as to overwrite any data that was previously there. The second most common form of wiping involves overwriting individual files and any remnants of those files in other portions of the digital media. The third most common technique is the overwriting of unallocated or free space on the digital media. For example, magnetic based media such as a hard drive once in use by an operating system will contain allocated space and unallocated space. Allocated data is what is currently active and accessible on the hard drive. This will include data such as a jpeg file, document, text file, Windows Operating System file, etc.

The unallocated space on a hard drive is the portion of the hard drive which has been marked as free and usable, usually by an operating system. This unallocated hard drive space can be used to write new files and data which then belong to the allocated portion of the hard drive.

When a file such as a jpeg is deleted on a Windows operating system in a normal manner by first sending the file to the recycle bin and then by emptying the recycle bin, that file has not actually been “deleted”. Rather it has been marked as unallocated and can now be used by the operating system to write new data. The use of wiping software to wipe the unallocated portion of a hard drive will effectively write over all files that have been previously deleted. This will render the data unrecoverable, effectively rendering review and recovery of unallocated and previously deleted files on this hard drive impossible with the technology of today.

Aside from simply wiping digital media, another popular technique is the use of software which will encrypt an entire digital media or just files. Encryption is the process of taking plaintext data and using a cipher or algorithm, making it unreadable to anyone except for those who posses the key, password or some other device to decrypt the data. Encryption has become quite common and the systems and software to employ encryption are becoming easier to use and manage by the average computer user.

One of the most common forms of data encryption that does not involve the transmission of data is file level encryption. This anti-forensics technique is employed quite commonly and is used to hide files such as important documents, pictures and other data from governments, rival businesses and even spouses.

Another very common form of encryption involves encrypting the entire digital medium, such as a hard drive. This means that both allocated and unallocated file space can be encrypted. This will prevent a computer forensics examiner or other individual from accessing and recovering files that have been deleted or are currently active on a digital medium. Anti-forensics methods are not limited to just these two techniques. There are many techniques that can be used to protect the privacy and confidentiality of data.

Leave a Reply